The 2016 Ponemon Cost of a Data Breach Study
TRANSCRIPT
Key findings from the 2016 Cost of Data Breach Study: Global Analysis
Benchmark research sponsored by IBM
Independently conducted by Ponemon Institute
June 2016
2 IBM Security
Introducing our speakers
Adam Trunkey, Portfolio Marketing Security Services, IBM Security
Larry Ponemon, Chairman and Principal, The Ponemon Institute
The 2016 Cost of Data Breach Study covered 383 companies in 12 countries and 16 industries
Industries
Financial, 14%
Industrial, 14%
Services, 12%
Technology, 12%
Retail, 9%
Public, 8%
Consumer, 7%
Energy, 5%
Transportation, 4%
Communications, 4%
Hospitality, 2%
Media, 2%
Health, 2%
Life science, 2%
Research, 1%
Education, 1%
Countries
United States, 17%
United Kingdom, 11%
India, 10%
Germany, 9%
Brazil, 8%
France, 8%
Australia, 7%
Japan, 7%
Arabian Cluster, 6%
Canada, 6%
Italy, 6%
South Africa, 5%
Understanding these terms will help you understand the report findings
A mega-breach of more than 100,000 records is not considered typical. The cost data in this study cannot be used to calculate the financial impact of a mega-breach over 100,000 records.
Data breach: An event in which an individual’s name plus a medical record or financial record or debit card is potentially at risk
Data record: Information that identifies the natural person (individual) whose information has been lost or stolen in a data breach
Incident: For this study, a data breach involving between approximately 3,000 and 100,000 compromised records
Participants: Organizations that experienced a data breach within the target size range
Benchmark research: The unit of analysis is the organization; in a survey, the unit of analysis is the individual
Key finding: the cost of a data breach continues to rise
Cost per record
Global average: $158 (15% since 2013)
Highest countries: United States $221, Germany $213
Lowest countries: Brazil $100, India $61
Cost per incident
Global average: $4M (29% since 2013)
Highest countries: United States $7M, Germany $5M
Lowest countries: South Africa $1.8M, India $1.6M
Currencies converted to US dollars
Growth in four areas contributed to the increase in data breach cost
Percent of increase over 2015:
Average total cost: 5.4%
Average size: 3.2%
Abnormal churn: 2.9%
Per record cost: 2.9%
Abnormal customer churn (customers lost following a data breach) translates into lost business
Currencies converted to US dollars
The largest component of the total cost of a data breach is lost business
Components of the $4 million cost per data breach:
Detection and escalation, $1.09 million: forensics, root cause determination, organizing incident response team, identifying victims
Notification, $0.18 million: disclosure of data breach to victims and regulators
Ex-post response, $1.10 million: help desk, inbound communications, special investigations, remediation, legal expenditures, product discounts, identity protection service, regulatory interventions
Lost business cost, $1.63 million: abnormal turnover of customers, increased customer acquisition cost, reputation losses, diminished goodwill
Currencies converted to US dollars
The per-record cost of a data breach varies widely by industry
Average cost per record breached:
Public: $80
Research: $112
Transportation: $129
Media: $131
Consumer: $133
Hospitality: $139
Technology: $145
Energy: $148
Industrial: $156
Communications: $164
Retail: $172
Life science: $195
Services: $208
Financial: $221
Education: $246
Healthcare: $355
Healthcare and finance experienced larger costs
Currencies converted to US dollars
Time to identify and time to contain a data breach also affect cost
Mean time to identify (MTTI): the time it takes to detect that an incident has occurred
Total cost, in millions: MTTI < 100 days, $3.23; MTTI ≥ 100 days, $4.38
Mean time to contain (MTTC): the time it takes to resolve a situation and ultimately restore service
Total cost, in millions: MTTC < 30 days, $3.18; MTTC ≥ 30 days, $4.35
Currencies converted to US dollars
Hackers and criminal insiders cause the most data breaches
Malicious or criminal attack: 48%
Human error: 25%
System glitch: 27%
$133 per record to resolve
$170 per record to resolve
$138 per record to resolve
Currencies converted to US dollars
The incidence of malicious attack varies considerably by country
Country: malicious or criminal attack / system glitch / human error
Arabian Cluster: 60% / 24% / 16%
Canada: 54% / 21% / 25%
Japan: 52% / 26% / 22%
Germany: 52% / 30% / 18%
United Kingdom: 51% / 24% / 24%
United States: 50% / 27% / 23%
France: 50% / 23% / 27%
Australia: 46% / 27% / 27%
Italy: 46% / 25% / 29%
India: 41% / 35% / 24%
Brazil: 39% / 30% / 30%
South Africa: 37% / 26% / 37%
Organizations in certain countries are more likely to experience a data breach of 10,000 or more records over a two-year period
Probability that an organization will experience a data breach over two-year period:
Germany: 15%
Australia: 16%
Canada: 17%
Italy: 22%
United Kingdom: 23%
Japan: 24%
United States: 24%
Arabian Cluster: 31%
India: 31%
France: 32%
South Africa: 33%
Brazil: 40%
Average likelihood of experiencing a breach of 10,000 or more records over a two-year period: 26%
Key factors that you can apply to help reduce the cost of a data breach
Amount by which the cost-per-record was lowered:
CISO appointed: $7.00
Extensive data leak protection: $8.00
Business Continuity Management involvement: $9.00
Participation in threat sharing: $9.00
Employee training: $9.00
Extensive use of encryption: $13.00
Incident response team: $16.00
All cost savings have increased over the last year
Currencies converted to US dollars
Seven global megatrends have emerged from 11 years of cost of data breach research studying 2,013 organizations
1. This is a permanent cost that organizations must be ready to deal with
2. Lost business is the biggest financial consequence of a data breach
3. Criminal and malicious attacks are the most common, costly and difficult to address causes
4. Cost is directly related to the time it takes to detect and contain a breach
5. Regulated industries such as healthcare and financial services have the most costly breaches
6. Improvements in data governance programs will reduce the cost of a data breach
7. Data loss prevention technologies are important for preventing data breaches
Read the full report to learn more
Visit ibm.com/security/data-breach and register to receive the global study or a country-specific study
Visit ibm.com/security/services to learn how IBM Security Services can help protect your organization
Visit www.ponemon.org to learn more about Ponemon Institute research programs
Questions:
Q+A
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. 
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
FOLLOW US ON:
THANK YOU
SEP03395-USEN-00
Appendix
Total cost of data breach over four years
Total average cost ($ millions):
2013: $3.02
2014: $3.52
2015: $3.79
2016: $4.00
Currencies converted to US dollars
2016 total cost of data breach, by country
Total average cost per country ($ millions):
India: $1.60
South Africa: $1.87
Brazil: $1.92
Australia: $2.44
Italy: $3.26
Japan: $3.30
United Kingdom: $3.95
Arabian Cluster: $4.61
France: $4.72
Canada: $4.98
Germany: $5.01
United States: $7.01
Currencies converted to US dollars
Per-record cost of a data breach since 2013
Average cost per record:
2013: $136
2014: $145
2015: $154
2016: $158
Currencies converted to US dollars
2016 per-record cost of a data breach
$61
$100
$101
$131
$122
$142
$156
$159
$196
$211
$213
$221
India
Brazil
South Africa
Australia
Arabian Cluster
Japan
Italy
United Kingdom
France
Canada
Germany
United States
Average cost per record, per country